Board Risk Committees and the Roles of the CRO and CFO

While many large financial services companies have already established board-level risk committees, many others have not, despite proposed requirements in the works at the Federal Reserve, as mandated under the Dodd-Frank Wall Street Reform and Consumer Protection Act. Once finalized, the rules are expected to require bank holding companies with more than $50 billion in assets (or at least $10 billion in assets if publicly traded), as well as non-bank financial companies deemed systemically important, to establish a risk committee separate from both the board-level audit committee and management’s own risk committee.

While risk committees are not new for major banks, in many cases they have focused primarily on credit, market and liquidity risks. The rules proposed by the Federal Reserve may broaden those risk committees’ responsibilities to include oversight of the entire risk management program, which includes broad risks such as operational, reputational and strategic risks. The proposed rules do not allow board risk committees to be housed within another board committee; the committees must report directly to the board and must receive and review regular reports from the chief risk officer (CRO).

Roles for Both CROs and CFOs

Although the CRO will be the main management-level contact for risk committees at many large financial services companies, CFOs are also expected to play an important role. That is especially true for the many companies that do not yet have CROs but are looking to refresh their thinking on risk governance and oversight, for companies looking to emulate board-level risk committees, and for companies outside financial services if the current mandate is eventually broadened to include them. “What we find is that outside of financial services, there aren’t a lot of CROs,” says Henry Ristuccia, partner, Deloitte & Touche LLP, and global leader, Governance, Risk and Compliance Services, Deloitte Touche Tohmatsu Limited. “But when there isn’t a CRO, we find that, about 80% of the time, CFOs say they are primarily responsible for risk management at the organization.” In these cases, CFOs can serve as a bridge between business units, management, the CRO and the board, providing the information and experience needed to fill the gaps.

“For CROs and CFOs, as for the entire C-suite, it’s about creating and increasing value in the organization,” says Mr. Ristuccia. “The appropriate level of risk oversight doesn’t just help protect value, but also helps the organization find where the next dollar of value is coming from or where the next frontier of value is. So that’s a real call to action. Some CROs and CFOs are already doing it, tying value creation to a risk program. I think you’ll see that happening more and more.”

The emergence of new risk committees can also potentially serve as an important channel for CFOs with risk management experience to expand their career paths as board members.

“I would look at this as an opportunity for CFOs, as well as CROs, to become more strategic thinkers,” says Maureen Errity, director, Deloitte LLP, Deloitte Center for Corporate Governance. “This is about risk, but it’s also about strategy and how can you get the most value out of your strategy by thinking about risks of and to the strategy. Are there other paths to increase the value of the strategy and, if so, what are the associated risks? And so a board is going to look at that individual as a real asset, as a strategic thinker.”

A New Approach to Risk Oversight

Under the proposed rules, the risk committee would have specific responsibilities that include, but are not limited to, oversight and approval of the enterprise risk management framework commensurate with the complexity of the company, including:

Risk limitations appropriate to each of the company’s business lines.

Appropriate policies and procedures relating to risk management governance, risk management practices and risk control infrastructure for the enterprise as a whole.

Processes and systems for identifying and reporting risks and risk-management deficiencies, including emerging risks, on an enterprise-wide basis.

Monitoring of compliance with the company’s risk limit structure and policies and procedures relating to risk management governance, practices and risk controls across the enterprise.

Specification of management and employees’ authority and independence to carry out risk management responsibilities.

Integration of risk management and control objectives in management goals and the company’s compensation structure.

Not every company will need a board risk committee. However, those that consider establishing one and, for that matter, any committee that is designated as owner of risk oversight, might consider the following questions:

How will the needs of the enterprise and stakeholders be taken into consideration in the board’s assessment of the quality and comprehensiveness of the current risk governance and oversight structure, as well as in its assessment of the risk environment? Again, CFOs could play an important role here given their deep understanding of the company’s performance and pressures.

How will risk governance be aligned with management’s strategy, the organization’s business model and the business units? To promote risk-taking for reward in the context of sound risk governance, the board, management—including the CFO as the organization’s financial steward—and business units should be aligned in their approach to risk and strategy.

What is the appropriate scope of the risk committee’s responsibilities? For example, oversight of risks associated with financial reporting may remain under the audit committee, which owns risk oversight in many companies, while risks associated with executive compensation plans might remain with the compensation committee. Because the CFO typically has a perspective on the various risks the organization faces and their interconnectivity, he or she may have an opinion on the risk committee’s scope of responsibilities.

How will the risk committee keep the board and other committees informed about risks and risk-oversight practices? Efficiency and effectiveness call for clear boundaries, communication channels and handoff points. This need may require the board to define these elements clearly, making adjustments as needed.